An encryption-free technique for enabling the self-authentication of value documents (including personal and commercial checks) presented at a point of purchase or financial institution. Certain data contained on the value document may be signed with a first digital signature and authenticated with a public key certificate issued from a trusted certificate authority. The signed data and public key certificate are stored on the value document, preferably in a two-dimensional bar code data format. In the case of certain personal value documents (such as checks, credit cards, passports, birth certificates, Social Security cards, etc.), a unique personal identification number (PIN) also may be included in the document data that is signed by a second digital signature. At a point of purchase, a merchant or teller can scan and read the data stored in the two-dimensional bar code and other magnetically recorded information, and together with the PIN the customer provides, can authenticate the value document thus presented using the second digital signature. Alternatively, if the customer is not present and the personal value document contains the second digital signature, the document may be verified using a PIN-generating algorithm or other method that generates all permutations of PINs. The first digital signature alone may be used to authenticate selected data within the personal value document even when the PIN is not available. Similarly, in the case of commercial value documents, authentication of pre-printed data may be based entirely upon the first digital signature.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A system for creating a self-authenticating document having critical document data, the self-authenticating document comprising: a first digital signature including a first digest of said critical document data; a second digital signature including a second digest of said critical document data and a personal identification number (PIN); and, a public key certificate including an authentic public key for validating said first and second digital signatures, wherein said first digital signature, said second digital signature, and said public key certificate are stored in machine-readable format on said self-authenticating document.
2. The self-authenticating document of claim 1, wherein said critical document data includes data contained in a magnetic ink character recognition (MICR) code line on said self-authenticating document.
3. The self-authenticating document of claim 2, wherein said critical document data further includes ASCII text from said document.
4. The self-authenticating document of claim 3, wherein said ASCII text is the account name and address printed on said self-authenticating document.
5. The self-authenticating document of claim 2, wherein said document is a personal value document.
6. The self-authenticating document of claim 5, wherein said personal value document is a personal check.
7. The self-authenticating document of claim 5, wherein said personal value document is selected from the group consisting of: an identification card, a Social Security card, a driver's license, a birth certificate, a credit card, a voter's registration card, and a passport.
8. The self-authenticating document of claim 1, wherein said machine-readable format is a bar code.
9. The self-authenticating document of claim 8, wherein said bar code format is PDF 417.
10. The self-authenticating document of claim 8, wherein said bar code comprises a plurality of data fields.
11. The self-authenticating document of claim 10, wherein said bar code includes: a first data field including data representing the number of bytes of data in said bar code; a second data field including said public key certificate; a third data field including data representing the number of bytes of data in said critical document data; and, a fourth data field including said critical document data.
12. The self-authenticating document of claim 11, wherein said bar code further includes a fifth data field including said second digital signature.
13. The self-authenticating document of claim 11, wherein said bar code further includes a sixth data field including said first digital signature.
14. A system for creating a self-authenticating document having critical document data, the self-authenticating document comprising: a digital signature including a digest of said critical document data and personal identification number (PIN); and, a public key certificate including an authentic public key for validating said digital signature, wherein said digital signature and said public key certificate are stored on said self-authenticating document, wherein said public key certificate further includes identity information of the owner of said authentic public key and a digital signature of said authentic public key and said owner identity information, and wherein said digital signature is issued by a third party, and wherein said digital signature and said public key certificate are stored in machine-readable format on said self-authenticating document.
15. The self-authenticating document of claim 14, wherein said document is a personal value document.
16. The self-authenticating document of claim 15, wherein said personal value document is a personal check.
17. The self-authenticating document of claim 15, wherein said personal value document is selected from the group consisting of: an identification card, a Social Security card, a driver's license, a birth certificate, a credit card, a voter's registration card, and a passport.
18. The self-authenticating document of claim 15, wherein said critical document data includes data contained in a magnetic ink character recognition (MICR) code line on said self-authenticating document.
19. The self-authenticating document of claim 18, wherein said critical document data further includes ASCII text from said self-authenticating document.
20. The self-authenticating document of claim 19, wherein said ASCII text is the account name and address printed on said self-authenticating document.
21. The self-authenticating document of claim 14, wherein said machine-readable format is a two-dimensional bar code.
22. The self-authenticating document of claim 21, wherein said two-dimensional bar code format is PDF 417.
23. The self-authenticating document of claim 21, wherein said two-dimensional bar code comprises a plurality of two-byte data fields.
24. The self-authenticating document of claim 23, where said two-dimensional bar code includes: a first data field including data representing the number of bytes of data in said bar code; a second data field including said public key certificate; a third data field including data representing the number of bytes of data in said critical document data; and, a fourth data field including said critical document data.
25. The self-authenticating document of claim 24, wherein said two-dimensional bar code further includes a fifth data field including said digital signature.
26. The self-authenticating document of claim 14, wherein said personal identification number is a four digit number comprising four bytes of data.
27. The self-authenticating document of claim 14, wherein said personal identification number is selected by the owner of said personal value document.
28. The self-authenticating document of claim 14, wherein a third party responsible for printing said personal value document selects said personal identification number.
29. The self-authenticating document of claim 14, wherein a third party responsible for issuing said personal value document selects said personal identification number.
30. The self-authenticating document of claim 14, wherein the digital signature algorithm used to create said digest of said digital signature is a public key cryptographic algorithm.
31. The self-authenticating document of claim 30, wherein said digital signature algorithm is an elliptic curve digital signature algorithm (ECDSA).
32. The self-authenticating document of claim 14, wherein said third-party digital signature is created using the elliptic curve digital signature algorithm (ECDSA).
33. The self-authenticating document of claim 32, wherein said ECDSA algorithm includes a first group of shared parameters for implementing said digital signature.
34. The self-authenticating document of claim 33, wherein said ECDSA used to create said third-party digital signature includes a second group of shared parameters for implementing said third-party digital signature.
35. The self-authenticating document of claim 34, wherein said first group of shared parameters is the same as said second group of shared parameters.
36. The self-authenticating document of claim 34, wherein said first group of shared parameters is different from said second group of shared parameters.
37. The self-authenticating document of claim 34, wherein said first and second groups of shared parameters is distributed to a community of users of said self-authenticating document.
38. The self-authenticating document of claim 37, wherein said third party is a certificate authority.
39. The self-authenticating document of claim 37, wherein said community of users includes a party responsible for issuing said self-authenticating document, a party responsible for printing said self-authenticating document, and said certificate authority.
40. The self-authenticating document of claim 39, wherein said community of users further includes an owner of said self-authenticating document.
41. The self-authenticating document of claim 14, wherein said public key certificate is affixed to said self-authenticating document by a third party responsible for printing said self-authenticating document.
42. The self-authenticating document of claim 14, wherein said public key certificate is affixed to said self-authenticating document by a third party responsible for issuing said public key certificate.
43. The self-authenticating document of claim 42, wherein said third party is a certificate authority.
44. A system for creating a personal value document, the personal value document comprising: a first digital signature including a first digest of critical document data, said critical document data including data contained in a magnetic ink character recognition (MICR) code line on said personal value document; a second digital signature including a second digest of said critical document data and a personal identification number (PIN); and, a public key certificate including an authentic public key for validating said first and second digital signatures, wherein said first digital signature, said second digital signature, and said public key certificate are stored in a bar code format on said personal value document.
45. The personal value document of claim 44, wherein said personal value document is a personal check.
46. The personal value document of claim 44, wherein said critical document data further includes ASCII text from said personal check.
47. The personal value document of claim 46, wherein said ASCII text is the account name and address printed on said personal check.
48. The personal value document of claim 46, wherein said bar code comprises a plurality of data fields, including: a first data field including data representing the number of bytes of data in said bar code; a second data field including said public key certificate; a third data field including data representing the number of bytes of data in said critical document data; and, a fourth data field including said critical document data.
49. The personal value document of claim 48, wherein said two-dimensional bar code further includes: a fifth data field including said second digital signature; and, a sixth data field including said first digital signature.
50. The personal value document of claim 44, wherein the digital signature algorithm used to create said first digest of said first digital signature and said second digest of said second digital signature is a public key cryptographic algorithm.
51. The personal value document of claim 50, wherein the digital signature algorithm used to create said first digest is the elliptic curve digital signature algorithm (ECDSA).
52. The personal value document of claim 51, wherein the digital signature algorithm used to create said second digest is the elliptic curve digital signature algorithm (ECDSA).
53. The personal value document of claim 44, wherein said personal identification number is selected by the owner of said value document.
54. The personal value document of claim 52, wherein said public key certificate further includes identity information of the owner of said authentic public key and a digital signature of said authentic public key and said owner identity information, and wherein said digital signature is issued by a certificate authority.
55. The personal value document of claim 54, wherein said ECDSA used to create said first and second digital signatures respectively includes a first group of shared parameters for implementing said first and second digital signatures, and wherein said ECDSA used to create said certificate authority digital signature includes a second group of shared parameters for implementing said certificate authority digital signature.
56. The personal value document of claim 55, wherein said first group of shared parameters is the same as said second group of shared parameters.
57. The personal value document of claim 55, wherein said first group of shared parameters is different from said second group of shared parameters.
58. The personal value document of claim 55, wherein said first and second groups of shared parameters is distributed to a community of users of said personal value document.
59. The personal value document of claim 58, wherein said community of users includes a party responsible for issuing said personal value document, a party responsible for printing said personal value document, and said certificate authority.
60. The personal value document of claim 59, wherein said community of users further includes an owner of said personal value document.
61. The personal value document of claim 44, wherein said first and second digital signatures, and said public key certificate are affixed to said personal value document by a third party responsible for printing said personal value document.
62. A method for creating a self-authenticating document having critical document data, said critical document data including machine-readable data printed on said self-authenticating document, said method comprising the steps of: creating a first digital signature by signing said critical document data with a digital signature algorithm; creating a second digital signature by signing said critical document data and a personal identification number (PIN) with said digital signature algorithm; retrieving a public key certificate including an authentic public key for validating said first and second digital signatures; and, affixing said first and second digital signatures and said public key certificate to said self-authenticating document in a machine-readable format.
63. The method of claim 62, wherein said critical document data includes ASCII text from said self-authenticating document, and further comprising the step of: storing said ASCII text in a machine-readable format on said self-authenticating document prior to said first digital signature creating step.
64. The method of claim 62, further comprising the steps of: selecting a group of shared parameters corresponding to said digital signature algorithm for implementing said first and second digital signatures; generating a public key and a private key using said shared parameters; certifying said public key via a certificate authority, wherein said selecting, generating and certifying steps are carried out prior to said first digital signature creation step.
65. The method of claim 62, wherein said step of creating said first digital signature includes the substeps of: generating a public key and a private key using said digital signature algorithm; assembling said critical document data from said self-authenticating document; and, applying said private key generated by said digital signature algorithm to said critical document data to create said first digital signature.
66. The method of claim 65, wherein said step of creating said second digital signature includes the substeps of: generating said personal identification number (PIN); appending said personal identification number (PIN) to said critical document data to create an authenticatable data string; and, applying said private key generated by said digital signature algorithm to said authenticatable data string to create said second digital signature.
67. The method of claim 66, wherein said digital signature algorithm is an elliptic curve digital signature algorithm (ECDSA).
68. The method of claim 66, wherein said step of affixing said first and second digital signatures to said self-authenticating document includes the substeps of: assembling a k-byte data string, wherein k includes the number of bytes in said critical document data, said authenticatable data, and said public key certificate; and, generating a machine-readable data string from said k-byte data string.
69. The method of claim 68, further comprising the step of calculating the total amount of bytes of data, k, including said critical document data, said authenticatable data string, and said public key certificate, prior to said k-byte data string assembling step.
70. The method of claim 69, wherein said first and second digital signatures and said public key certificate are affixed in bar-code format to said self-authenticating document, and wherein said step of generating said machine readable data string comprises the substep of converting said k-byte data string into bar code print data.
71. A method for creating a self-authenticating document having critical document data, said critical document data including machine-readable data printed on said self-authenticating document, said method comprising the steps of: creating a first digital signature by signing said critical document data with a digital signature algorithm; creating a second digital signature by signing said critical document data and a personal identification number (PIN) with said digital signature algorithm; retrieving a public key certificate including an authentic public key for validating said first and second digital signatures; determining whether said second digital signature is to be affixed to said self-authenticating document; determining whether said first digital signature is to be affixed to said self-authenticating document; affixing said public key certificate and at least one of said first digital signature and said second digital signature to said self-authenticating document in machine-readable code, based on the results of the second digital signature and first digital signature determining steps.
72. The method of claim 71, wherein said critical document data includes ASCII text from said self-authenticating document, and further comprising the step of: storing said ASCII text in a machine-readable format on said self-authenticating document prior to said first digital signature creating step.
73. The method of claim 71, further comprising the steps of: selecting a group of shared parameters corresponding to said digital signature algorithm for implementing said at least one of said first and second digital signatures; generating a public key and a private key using said shared parameters; certifying said public key via a certificate authority, wherein said selecting, generating and certifying steps are carried out prior to said first digital signature creation step.
74. The method of claim 71, wherein said step of creating said first digital signature includes the substeps of: generating a public key and a private key using said digital signature algorithm; assembling said critical document data from said self-authenticating document; and, applying said private key generated by said digital signature algorithm to said critical document data to create said first digital signature.
75. The method of claim 74, wherein said step of creating said second digital signature includes the substeps of: generating said personal identification number (PIN); appending said personal identification number (PIN) to said critical document data to create an authenticatable data string; and, applying said private key generated by said digital signature algorithm to said authenticatable data string to create said second digital signature.
76. The method of claim 71, wherein said digital signature algorithm is an elliptic curve digital signature algorithm (ECDSA).
77. The method of claim 71, wherein if it is determined that said first digital signature is to be affixed to said self-authenticating document, said step of affixing said first digital signature to said self-authenticating document includes the substeps of: assembling a k-byte data string, wherein k includes the number of bytes in said critical document data; and, generating a machine-readable data string from said k-byte data string.
78. The method of claim 71, wherein if it is determined that said second digital signature is to be affixed to said self-authenticating document, said step of affixing said second digital signature to said self-authenticating document includes the substeps of: assembling a k-byte data string, wherein k includes the number of bytes in said authenticatable data string; and, generating a machine-readable data string from said k-byte data string.
79. The method of claim 71, wherein if it is determined that said first and said second digital signatures are to be affixed to said self-authenticating document, said step of affixing said first and second digital signatures to said self-authenticating document includes the substeps of: assembling a k-byte data string, wherein k includes the number of bytes in said critical document data and said authenticatable data string; and, generating a machine-readable data string from said k-byte data string.
80. The method of claim 79, further comprising the step of calculating the total amount of bytes of data, k, in said critical document data and said authenticatable data string prior to said k-byte data string assembling step.
81. A method of authenticating a self-authenticating document, comprising the steps of: processing machine-readable data on said self-authenticating document to obtain digital signature data and a public key certificate; processing said public key certificate to obtain public key certificate data including an authentic public key and a third-party digital signature, said public key certificate processing step including the substeps of: validating said public key certificate with a third-party public key by applying said third-party public key to said third-party digital signature; and, parsing said public key certificate to obtain said authentic public key; assembling critical document data from said self-authenticating document, wherein said critical document data includes at least magnetic ink character recognition (MICR) data printed on said self-authenticating document; determining whether an authentic personal identification number (PIN) is available for appending to said critical document data; wherein, if said authentic PIN is available; appending said authentic PIN to said critical document data to create an authenticatable data string; and, applying said authentic public key to said digital signature data to validate said authenticatable data string, wherein said self-authenticating document is authenticated if said authenticatable data string is validated.
82. The authenticating method of claim 81, wherein said self-authenticating document is a personal check, and wherein said critical document data includes ASCII text printed on said personal check.
83. The authenticating method of claim 81, further comprising the steps of: determining whether a first digital signature is present in said digital signature data, if it is determined that said authentic personal identification number (PIN) is not available; applying said authentic public key to said digital signature data to validate said critical document data, wherein said self-authenticating document is authenticated if said critical document data is validated.
84. The authenticating method of claim 83, wherein if it is determined that said authentic PIN is not available and that said first digital signature is not present in said digital signature data, further comprising the steps of: determining whether a second digital signature is present in said digital signature data, and, if said second digital signature is present; generating a plurality of PINs; appending each of said plurality of PINs to said critical document data to create a plurality of verifiable data strings; and, applying said authentic public key to said second digital signature in order to validate one of said verifiable data strings as said authenticatable data string and to authenticate said self-authenticating document.
85. The authenticating method of claim 84, wherein said step of generating PINs is carried out in a document reading system executing a PIN-generating algorithm.
86. The authenticating method of claim 83, wherein said machine-readable data is bar-code data, said machine-readable data processing step including the substeps of: retrieving said bar code data from said self-authenticating document; and, parsing data fields in said bar code data to obtain at least said public key certificate, said digital signature data, and k, where k is the total number of bytes in said bar code data.
87. The authenticating method of claim 81, wherein said third party is a certificate authority.
88. The authenticating method of claim 81, wherein said public key certificate is comprised of m bytes, and wherein said public key certificate parsing substep includes the further substeps of: retrieving at least a first byte, c1, of said m bytes from said public key certificate, wherein said at least a first byte c1 is a binary representation of said number of bytes m in said public key certificate; determining whether said binary representation of said number of bytes m in said at least a first byte c1, is greater than the number of bytes of data in said digital signature data, n; retrieving the remainder of said m bytes, if said determining step determines that said at least a first byte c1 is greater than the number of bytes of data in said digital signature data, n; and, applying said authentic public key to said digital signature data in order to verify said at least one of said first and second digital signatures.
89. The authenticating method of claim 88, wherein said public key certificate parsing substep includes the further substeps of: retrieving public key validity date data from said public key certificate; determining if said public key validity date data is within an accepted date range; and, validating said public key certificate with said public key validity date data, if said public key validity date data is within said accepted date range.
90. The authenticating method of claim 89, wherein said public key certificate parsing substep includes the further substep of: issuing an alert if said public key validity date data is not within an accepted date range.
91. The authenticating method of claim 90, wherein said public key certificate parsing substep includes the further substeps of: deciding whether to validate said public key certificate if said public key validity date data is not within an accepted date range, by checking guidelines issued by said third party.
92. The authenticating method of claim 90, wherein said public key certificate parsing substep includes the further substeps of: deciding whether to validate said public key certificate if said public key validity date data is not within an accepted date range, by consulting a public key certificate database.
93. The authenticating method of claim 83, further comprising the step of: presenting said self-authenticating document by an owner of said self-authenticating document to a commercial entity for authentication, wherein said presenting step is carried out prior to said machine-readable data processing step.
94. The authenticating method of claim 93, wherein said authentic PIN-determining step further includes the substep of: determining whether an owner of said self-authenticating document is available to input said authentic PIN, wherein said PIN-availability step determines that said authentic PIN is not available if said owner of said self-authenticating document is not available.
95. A system for reading a self-authenticating document having machine-readable data including critical document data, digital signature data and a public key certificate, the system comprising: personal identification means for receiving a personal identification number (PIN) from a presenter of said self-authenticating document; and, image scanning and processing means for reading said self-authenticating document and retrieving said machine-readable data from said self-authenticating document, and for assembling an authenticatable data string from said critical document data and said received PIN; parsing means for parsing said machine readable data to obtain said digital signature data and said public key certificate; and, validating means for certifying said public key certificate to obtain an authentic public key, and for applying said authentic public key to said digital signature data for validating said authenticatable data string, said validating means comprising: a certification validation subsystem for validating said public key certificate with a third party public key and for obtaining said authentic public key; and, a digital signature validation subsystem for validating said digital signature data with said authentic public key, wherein said self-authenticating document is authenticated if said authenticatable data string is validated.
96. The system of claim 95, wherein said machine-readable critical document data includes data stored in a first and second format on said self-authenticating document, and wherein said image scanning and processing means comprises: a first machine-readable data reading system for reading said critical document data stored in a first format from said self-authenticating document; and, a second machine-readable data reading system for reading said critical document data stored in a second format from said self-authenticating document.
97. The system of claim 96, wherein said first format is magnetic ink character recognition (MICR) code, and said second format is bar code, and wherein said first machine-readable data reading system is a MICR reader, and said first machine-readable data reading system is a bar code reader.
98. The system of claim 95, wherein said machine-readable critical document data is stored in a bar code format on said self-authenticating document, and wherein said image scanning and processing means includes a bar code reading system for reading said bar code format to retrieve said critical document data.
99. A system for reading a self-authenticating document, said self-authenticating document having machine-readable data including first critical document data stored on a magnetic ink character recognition (MICR) line, and first and second digital signatures, and a public key certificate stored on a bar code line, the system comprising: a personal identification subsystem for receiving a personal identification number (PIN) from a presenter of said self-authenticating document; and, an image scanner and processor system for reading said self-authenticating document and retrieving said machine readable data from said self-authenticating document, and for assembling an authenticatable data string from said first critical document data and said received PIN, said image scanner and processor including: a magnetic ink character recognition (MICR) reader subsystem for retrieving said first critical document data from said MICR line; a bar code reader subsystem for retrieving said first and second digital signatures and said public key certificate stored on a bar code line; a parsing subsystem for parsing said bar code to obtain said first and second digital signatures and said public key certificate; and, a validating subsystem for certifying said public key certificate to obtain an authentic public key and for applying said authentic public key to at least said second digital signature for validating said authenticatable data string, wherein said self-authenticating document is authenticated if said authenticatable data string is validated.
100. The system of claim 99, wherein said machine-readable data further includes second critical document data stored in said bar code line, wherein said bar code reader subsystem further retrieves said second critical document data stored in said bar code line, and wherein said authenticatable data string assembled by said image scanner and processor subsystem includes said second critical document data.
101. The system of claim 100, wherein said second critical document data comprises ASCII text from said self-authenticating document.
102. The system of claim 101, wherein said ASCII text is the account name and address printed on said self-authenticating document.
103. The system of claim 99, wherein said validating means further applies said authentic public key to said first digital signature to validate said critical document data when no PIN is received, and wherein said self-authenticating document is authenticated if said critical document data is validated.
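The creation steps of claims 62 to 70 and the authentication decision order of claims 81 to 86 and 88, worked through as an added example that is not part of the patent or any implementation of it. Assumptions made here: P-256 with SHA-256 as the shared parameters, two-byte big-endian length fields, 64-byte r||s signatures, a simplified certificate layout (c1, public key, identity, CA signature), critical data formed as MICR line followed by the bar-code text, and constructed keys and check data; the ECDSA routines are textbook code (not constant time, simplified nonce derivation) written only so the block runs with the standard library.

```python
import hashlib, hmac
# NIST P-256 with SHA-256, standing in for the claims' "shared parameters" (assumption).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _i(b):
    return int.from_bytes(b, "big")

def _z(msg):
    return _i(hashlib.sha256(msg).digest())

def _add(p, q):
    """Affine point addition on the curve; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        m = (3 * p[0] * p[0] + A) * pow(2 * p[1] % P, -1, P) % P
    else:
        m = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P) % P
    x = (m * m - p[0] - q[0]) % P
    return x, (m * (p[0] - x) - p[1]) % P

def _mul(k, p):  # textbook double-and-add, not constant time
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def sign(d, msg):
    """ECDSA signature as 64 bytes r||s; the nonce is HMAC-derived, not full RFC 6979."""
    k = _i(hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest()) % (N - 1) + 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_z(msg) + r * d) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def verify(q, msg, sig):
    r, s = _i(sig[:32]), _i(sig[32:])
    if len(sig) != 64 or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def make_cert(ca_priv, owner_pub, owner_id):
    """Hypothetical layout: c1 (total length m) || public key || identity || CA signature."""
    body = owner_pub[0].to_bytes(32, "big") + owner_pub[1].to_bytes(32, "big") + owner_id
    body = bytes([1 + len(body) + 64]) + body
    return body + sign(ca_priv, body)

def issue(priv, cert, micr, text, pin, include_sig1=True):
    """Bar code fields 1-6: total length, certificate, text length, text, sig2, sig1."""
    sig2 = sign(priv, micr + text + pin)       # second signature: critical data || PIN
    sig1 = sign(priv, micr + text) if include_sig1 else b""
    body = cert + len(text).to_bytes(2, "big") + text + sig2 + sig1
    return (2 + len(body)).to_bytes(2, "big") + body

def parse(payload, ca_pub):  # split the fields, validate the certificate with the CA key
    if len(payload) < 3 or _i(payload[:2]) != len(payload):
        raise ValueError("field 1 does not match the bar code length")
    m = payload[2]                             # c1: certificate length in bytes
    cert, rest = payload[2:2 + m], payload[2 + m:]
    if m < 129 or len(cert) != m or not verify(ca_pub, cert[:-64], cert[-64:]):
        raise ValueError("certificate is not signed by the trusted CA")
    pub = (_i(cert[1:33]), _i(cert[33:65]))
    n = _i(rest[:2])
    text, sigs = rest[2:2 + n], rest[2 + n:]
    if len(text) != n or len(sigs) not in (64, 128):
        raise ValueError("truncated critical data or signature field")
    return pub, text, sigs[:64], sigs[64:] or None

def all_pins():
    return (b"%04d" % i for i in range(10000))  # four-digit PIN, four bytes

def authenticate(payload, micr, ca_pub, pin=None, pin_space=()):
    """Return (check that validated, signature verifications used) or None."""
    pub, text, sig2, sig1 = parse(payload, ca_pub)
    critical = micr + text
    if pin is not None:                        # presenter supplied a PIN
        return ("pin", 1) if verify(pub, critical + pin, sig2) else None
    if sig1 is not None:                       # no PIN: first signature alone
        return ("critical-data", 1) if verify(pub, critical, sig1) else None
    for tries, cand in enumerate(pin_space, 1):  # no PIN, no sig1: generated PINs
        if verify(pub, critical + cand, sig2):
            return ("pin-search", tries)
    return None

def build_sample(include_sig1=True):  # constructed keys and check data, demo only
    ca_priv, priv = (_z(s) % (N - 1) + 1 for s in (b"constructed CA key", b"constructed issuer key"))
    cert = make_cert(ca_priv, _mul(priv, G), b"EXAMPLE BANK")
    micr = b"T000000000T 0123456789O 1001"
    payload = issue(priv, cert, micr, b"J. DOE, 1 EXAMPLE ST", b"0042", include_sig1)
    return payload, micr, _mul(ca_priv, G)
```

For a four-digit PIN the generated-PIN path is bounded at 10,000 signature verifications, so the second signature authenticates a presenter at the counter but does not keep the PIN from a party who holds the document and the public key.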
November 7, 2000
May 23, 2006